Let me restate what you are trying to do. Select multiple values of prefix from the lookup. Perform the search that filters on values of IPC that equals to any of selected prefix. Is this correc...
See more...
Let me restate what you are trying to do. Select multiple values of prefix from the lookup. Perform the search that filters on values of IPC that equals to any of selected prefix. Is this correct? Based on your mock SPL, IPC is already extracted at search time. You don't need a second pipe to search for it. Let me first give you a mock dashboard using your search. Then, I will show a demo dashboard using emulations to show how it works. <form version="1.1">
<label>Multivalue input</label>
<description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
<fieldset submitButton="false">
<input type="multiselect" token="my_token" searchWhenChanged="true">
<label>select all applicable</label>
<choice value="*">All</choice>
<initialValue>*</initialValue>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>| inputlookup site_ids.csv</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<delimiter>,</delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<title>token value: >$my_token$<</title>
<search>
<query>index=abc sourcetype=sc* IPC IN ($my_token$)
| fields _time index Eventts FIELD* IPC</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form> This should deliver the functionality you described. Note I moved your filter into index search. This is more efficient. I also do not know why you list source in the first fields command but then remove this field in the last fields command. So I also removed these. Anyway, let me demonstrate the functionality with an emulation of these events FIELD1 FIELD2 IPC 2 stuff 23456789 4 more stuff 78945612 6 stuff 2 12356789 8 even more stuff 56897412 5 and stuff 78945612 14 and more stuff 23456789 9 even more 12356789 Play with the following dashboard and compare with real data. <form version="1.1">
<label>Multivalue input</label>
<description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
<fieldset submitButton="false">
<input type="multiselect" token="my_token" searchWhenChanged="true">
<label>select all applicable</label>
<choice value="*">All</choice>
<initialValue>*</initialValue>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>| makeresults format=csv data="displayname,prefix
abc12,23456789
qwe14,78945612
rty12,12356789
yuui13,56897412"
``` the above emulates
| inputlookup site_ids.csv
```</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<delimiter>,</delimiter>
</input>
</fieldset>
<row>
<panel>
<table>
<title>token value: >$my_token$<</title>
<search>
<query>| makeresults
| eval _raw="IPC, FIELD1, FIELD2
23456789, 2, stuff
78945612, 4, more stuff
12356789, 6, stuff 2
56897412, 8, even more stuff
78945612, 5, and stuff
23456789, 14, and more stuff
12356789, 9, even more"
| multikv
| search IPC IN ($my_token$)
``` the above emulates
index=abc sourcetype=sc* IPC IN ($my_token$)```
| fields _time index Eventts FIELD* IPC</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form> If I select abc12 and yyui13, I get _time index Events FIELD1 FIELD2 IPC 2024-12-10 23:32:17 2 stuff 23456789 2024-12-10 23:32:17 8 even more stuff 56897412 2024-12-10 23:32:17 14 and more stuff 23456789 This fits exactly what you describe. In other words, I do not see any unexpected results when selecting multiple values.